SHA1 collision found

Robert J. Hansen rjh at sixdemonbag.org
Thu Feb 23 19:58:06 CET 2017


> Today it was announced that SHA1 is now completely broken
> https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

SHA-1 is broken *for some purposes*.  That's scary enough, trust me.  Let's
not overstate things.

For the last ten years I've been saying, "The smoke alarm has gone off and
we think there's a fire.  There's no danger to anyone right now, but we need
to move to the exits in an orderly fashion.  Start migrating away from SHA-1
right now, so that when the collisions happen you've already been using
SHA256 for years."

Today we've seen the fire.  It's not surprising.  We knew this was coming,
we just didn't know when.  If you're still using SHA-1, you probably need to
begin migrating *right now* before the fire gets worse.  If you don't know
how, ask on this list and we'll help you.  But don't panic: we can help.

A question for the list: should we put a "Migrating to SHA256" section in
the FAQ?





More information about the Gnupg-users mailing list